Microsoft disclosed CVE-2026-42897 on May 14 and confirmed the same day that it is being actively exploited in the wild. The vulnerability is a cross-site scripting flaw in Outlook Web Access for on-premises Exchange Server. An attacker sends a specially crafted email to a target. If that target opens the email in OWA, arbitrary JavaScript executes in their browser session. The attack requires no authentication from the attacker and no elevated privileges. The target only needs to open the email.
The affected versions are Exchange Server Subscription Edition RTM, Exchange Server 2019, and Exchange Server 2016. Exchange Online is not affected. The CVSS score is 8.1. Microsoft deployed an emergency server-side mitigation on May 14, and CISA added the flaw to its Known Exploited Vulnerabilities catalog the following day, requiring US federal agencies to remediate by May 29.
What makes this particularly uncomfortable is the status of the fix. Microsoft’s mitigation is temporary. The advisory states that a permanent patch is in development but does not specify a timeline. Organisations running on-premises Exchange are currently dependent on a server-side workaround that Microsoft controls, with no clear date for a proper resolution.
The exploitation vector is as simple as it gets for this class of vulnerability: send an email and wait for someone to read it in OWA. Organisations where helpdesk staff, executives, or IT administrators read email in Outlook Web Access are directly exposed. The JavaScript execution happens in a browser session that already holds Exchange credentials and session tokens, which gives an attacker meaningful access to the account even without credential capture.
On-premises Exchange continues to carry a disproportionate share of the critical vulnerability load across enterprise email infrastructure. Exchange 2016 and 2019 are both approaching or at the end of extended support, yet a significant proportion of organisations running them have not completed migration to Exchange Online. The calculus for staying on-premises has shifted considerably as the support windows close and the patch cadence reveals the continued depth of the attack surface.
The practical steps right now are to apply Microsoft’s emergency mitigation if not already done, audit which users access email via OWA versus the full Outlook client, and assess whether OWA can be restricted or disabled for accounts that do not require it. If your organisation is still on Exchange 2016 or 2019, this vulnerability is also a reasonable prompt to revisit the migration timeline seriously.
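The audit-and-restrict step above, as an added example that is not part of the original post and not Microsoft's mitigation: an Exchange Management Shell script that lists every mailbox with OWA enabled, flags those not on an explicit allowlist, and disables OWA for them. It runs in report-only mode (`-WhatIf`) until `$Apply` is set; the allowlist addresses and the CSV path are constructed placeholders.

```powershell
# Added example (not from the advisory). Run in the Exchange Management Shell on an
# on-premises Exchange server. Note: OWAEnabled says whether a mailbox is *allowed*
# to use OWA, not whether the user actually does; combine with IIS /owa/ logs if you
# need usage data. This restricts exposure; it does not replace the server-side fix.

$Apply = $false   # set to $true only after reviewing the generated report
$OwaAllowed = @('helpdesk-shared@example.com', 'ceo@example.com')  # constructed placeholders

# Get-CASMailbox exposes per-mailbox client-access flags, including OWAEnabled.
$owaMailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled -eq $true }

Write-Host ("Mailboxes with OWA enabled: {0}" -f @($owaMailboxes).Count)

# Build a review table: which mailboxes keep OWA and which get it disabled.
$report = foreach ($m in $owaMailboxes) {
    $keep = $OwaAllowed -contains $m.PrimarySmtpAddress.ToString()
    [pscustomobject]@{
        Identity           = $m.Identity
        PrimarySmtpAddress = $m.PrimarySmtpAddress
        OWAEnabled         = $m.OWAEnabled
        ActiveSyncEnabled  = $m.ActiveSyncEnabled
        Action             = if ($keep) { 'keep' } else { 'disable OWA' }
    }
}

$report | Export-Csv -Path .\owa-audit.csv -NoTypeInformation   # placeholder path
$report | Format-Table -AutoSize

# Second pass: turn off OWA for every mailbox not on the allowlist.
# With $Apply = $false, -WhatIf prints what would change and changes nothing.
foreach ($row in ($report | Where-Object { $_.Action -eq 'disable OWA' })) {
    if ($Apply) {
        Set-CASMailbox -Identity $row.Identity -OWAEnabled $false
    } else {
        Set-CASMailbox -Identity $row.Identity -OWAEnabled $false -WhatIf
    }
}
```

Re-run the first pass after applying to confirm only allowlisted mailboxes still report OWAEnabled as true.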
If you run on-premises Exchange and want help applying current mitigations, hardening your mail infrastructure, or planning a migration to Exchange Online, contact Excello Digital. We work with businesses at every stage of that process.
